PatchSiren

CVE-2024-24954 AutomationDirect CVE debrief

A null-byte write vulnerability in the Programming Software Connection FileSystem API of AutomationDirect Productivity PLCs allows remote attackers to cause heap-based memory corruption via specially crafted network packets. The vulnerability affects multiple CPU models across the Productivity 1000, 2000, and 3000 series running specific firmware and software versions. With a CVSS 3.1 score of 8.2 (High), this vulnerability poses significant risk to industrial control environments due to its network attack vector, low attack complexity, and high availability impact. The vulnerability was disclosed by CISA on May 23, 2024, with coordinated vendor remediation guidance.

Vendor: AutomationDirect
Product: Productivity 3000 P3-550E CPU
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-05-23
Original CVE updated: 2024-05-23
Advisory published: 2024-05-23
Advisory updated: 2024-05-23

Who should care

Organizations operating AutomationDirect Productivity 1000, 2000, or 3000 series PLCs in industrial automation environments, particularly those with network-connected control systems. Critical infrastructure operators, manufacturing facilities, and any deployment where PLC availability is essential for operational continuity should prioritize assessment and remediation.

Technical summary

The vulnerability exists in the Programming Software Connection FileSystem API functionality of affected AutomationDirect Productivity PLCs. A null-byte write condition can be triggered by specially crafted network packets, leading to heap-based memory corruption. The attack requires no authentication and can be executed remotely over the network. Successful exploitation may result in denial of service, reflected in the high availability impact rating, with potential for limited integrity impact. The vulnerability affects firmware versions 1.2.10.9 and 1.2.10.10 across multiple CPU models, as well as Productivity Suite software version 4.1.1.10.

Defensive priority

HIGH

Recommended defensive actions

  • Update Productivity Suite programming software to version 4.2.0.x or higher for all affected systems
  • Update Productivity PLC firmware to the latest available version from AutomationDirect
  • Physically disconnect affected PLCs from external networks including internet and LAN connections where immediate patching is not feasible
  • Implement network segmentation to isolate affected PLCs from other organizational systems
  • Deploy firewall rules or network access control (NAC) policies to restrict traffic to affected PLCs
  • Conduct thorough network security analysis to determine appropriate security controls for automation control system environments
  • Review AutomationDirect security considerations documentation for additional hardening guidance
  • Contact AutomationDirect Technical Support at 770-844-4200 or 800-633-0405 for assistance with remediation planning

Evidence notes

The vulnerability description and affected product list are derived from CISA CSAF advisory ICSA-24-144-01, which identifies 12 affected product configurations across AutomationDirect's Productivity PLC product lines. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H indicates network-based attack with no privileges required, resulting in high availability impact but no confidentiality impact and low integrity impact.

Official resources

Coordinated disclosure via CISA ICS advisory ICSA-24-144-01 on May 23, 2024. No known exploitation in the wild has been reported.